On Wed, 17 Jan 2001, Ashwin D spewed into the ether:
> > BTW if you are using dial up line, your IP address is dynamic, and
> > chances of breaking in your machine with root kit are practically
> > nil.
Fact check: A root kit is not something designed to give you root.
That is called an exploit.
A root kit is something designed to keep root open for you.
So you replace commonly found binaries with trojan ones.
For example, there is a ipop3d replacement daemon (ipop3d1.006e) which
will open a root shell whenever you telnet to port 100 on the
compromised host and type in the correct password.
Similarly the attacker will compromise lots of binaries (notably ls, ps,
top, w, who, netstat) to hide any new processes generated by him.
login is compromised to hide the bash history (and maybe mail passwords
to another machine). Your shell and tty themselves may be replaced.
And so on......
> Music to my Ears. Thanks. But I still want to track em down and kill
> 'em and hopefully learn something in the process
You can't let the fact that your address is dynamic be your defense.
You can get caught in a scan and compromised in a matter of minutes.
I do recommend a simple firewall using ipchains.
Block access for remote hosts to your machine for ports below 1024.
Allow only packets with the syn bit set to come in from your external
interface. Log the rest so you know what is going on.
This should guard you some bit.
Also, stay up to date on patches (I wonder if PCQ will distribute
patches for RHAT at least)
Oh, and if you are looking to learn something and have the time (and
bandwidth to spare -- or even otherwise), subscribe to BUGTRAQ and
security-basics at securityfocus.com
Devdas Bhagat
--
The clothes have no emperor.
-- C.A.R. Hoare, commenting on ADA.
----------------------------------------------
LIH is all for free speech. But it was created
for a purpose. Violations of the rules of
this list will result in stern action.
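The post above explains that a root kit works by replacing ls, ps, top, w, who, netstat, login and the shell with trojaned copies. The classic defence is a known-good baseline of those files' hashes, taken before the machine is exposed and compared afterwards. The script below is an added example written for this reply, not code from Devdas or from the list; it assumes sha1sum is installed, and the file list in WATCH and the demo tree it builds under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): baseline integrity check for
# the binaries a root kit typically replaces. record_baseline hashes them
# once from a known-good system; check_baseline reports any file whose hash
# no longer matches. Assumes sha1sum is available (an assumption).

ROOT="${ROOT:-/}"                     # tree to check; / is the default assumption
BASELINE="${BASELINE:-baseline.sha1}" # where the known-good hashes are stored
# files named in the post as usual root kit targets (paths are assumptions)
WATCH="bin/ls bin/ps usr/bin/top usr/bin/w usr/bin/who bin/netstat bin/login bin/bash"

# record_baseline: hash every watched file that exists under $ROOT,
# storing "hash  relative/path" lines in $BASELINE
record_baseline() {
    : > "$BASELINE"
    for f in $WATCH; do
        [ -f "$ROOT/$f" ] || continue
        ( cd "$ROOT" && sha1sum "$f" ) >> "$BASELINE"
    done
}

# check_baseline: print one line per CHANGED or MISSING file, nothing when
# clean; returns 0 when clean and 1 when anything differs from the baseline
check_baseline() {
    status=0
    while read -r want path; do
        if [ ! -f "$ROOT/$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$( cd "$ROOT" && sha1sum "$path" | cut -d' ' -f1 )
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$BASELINE"
    return $status
}

# demo: build a constructed fake root tree, take a baseline, then swap in a
# "trojaned" ps the way a root kit would, and run the check.
# Returns check_baseline's status (1 = something changed).
demo() {
    tmp=$(mktemp -d)
    ROOT="$tmp/root"; BASELINE="$tmp/baseline.sha1"
    mkdir -p "$ROOT/bin" "$ROOT/usr/bin"
    for f in $WATCH; do echo "original $f" > "$ROOT/$f"; done  # constructed stand-ins
    record_baseline
    echo "trojaned ps" > "$ROOT/bin/ps"   # simulate the replacement
    check_baseline
}

# running the script stand-alone prints the report; status 1 means changes found
demo || echo "integrity check found differences (status $?)"
```

Keep the baseline file on read-only media, and remember that on a compromised host sha1sum itself, the shell, and even the kernel's view of the file system may have been replaced; the comparison is only trustworthy when run from clean boot media.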
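The ipchains advice above (block remote hosts from ports below 1024, use the SYN bit to single out incoming connection attempts on the external interface, log what is dropped) can be written as a short ruleset. The script below is an added example for this reply, not Devdas's own firewall; it assumes the dial-up link is ppp0 and, so that it can be read and tested without root or a 2.2 kernel, it prints the ipchains commands unless APPLY=1 is set. In ipchains, -y matches TCP packets with SYN set and ACK/FIN clear, i.e. a remote host opening a new connection, so denying -y packets to privileged ports shuts out remote logins while replies to your own outgoing connections (which are never SYN-only) still get in.

```shell
#!/bin/sh
# Added example (not from the original post): minimal ipchains input chain
# for a dial-up host. Assumes the external interface is ppp0 (an assumption;
# override with EXT_IF=...). Dry run by default; APPLY=1 calls ipchains.

EXT_IF="${EXT_IF:-ppp0}"

# run_rule: apply a rule with ipchains, or print it in dry-run mode
run_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipchains "$@"
    else
        printf 'ipchains %s\n' "$*"
    fi
}

# dialup_ruleset: emit the rules in order (8 rules)
dialup_ruleset() {
    # start from an empty input chain; default policy ACCEPT so the explicit
    # rules below decide, with a logging catch-all at the end
    run_rule -F input
    run_rule -P input ACCEPT
    # loopback traffic is local and always allowed
    run_rule -A input -i lo -j ACCEPT
    # -y: TCP SYN without ACK/FIN, i.e. a remote host opening a connection.
    # Deny such attempts to privileged ports 0-1023 and log them (-l).
    run_rule -A input -i "$EXT_IF" -p tcp -y -d 0.0.0.0/0 0:1023 -j DENY -l
    # UDP has no SYN; deny and log datagrams to privileged ports as well
    run_rule -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 0:1023 -j DENY -l
    # non-SYN TCP is the reply half of connections this host opened: accept
    run_rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # UDP replies to this host's own lookups arrive on unprivileged ports: accept
    run_rule -A input -i "$EXT_IF" -p udp -j ACCEPT
    # everything else from the link (ICMP, other protocols, SYN to high
    # ports) is accepted but logged so you can see what is going on
    run_rule -A input -i "$EXT_IF" -j ACCEPT -l
}

dialup_ruleset
```

Run it once as a dry run and read the printed rules, then with APPLY=1 as root on the dial-up host; ipchains has no connection tracking, so the "! -y" rule is what lets your own sessions' return traffic through, and the -l flags send the denied packets to the kernel log (watch it with dmesg or syslog).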